[HPADM] Fwd: RE: [SUMMARY] HP-UX SSH

From: Stephanie Chung (stepchung@yahoo.com)
Date: Tue Apr 19 2005 - 16:06:42 EDT


Hi List,

I received feedback that the previous instructions on
"how to run SSH through inetd" don't work for some.
I think I need to make this a little clearer so that
it works.
- Change /etc/rc.config.d/sshd: SSHD_START=0 (do not
allow it to run its own SSH at system startup)
- /sbin/init.d/secsh stop (stop the SSH daemon)
- Add the following line to /etc/inetd.conf
  ssh stream tcp nowait root /opt/ssh/sbin/sshd sshd -i
- Add the following line to /etc/services
  ssh 22/tcp #SSH service
- Add allow or deny IPs in this file:
  /var/adm/inetd.sec (e.g. ssh allow 124.32.)
- /sbin/init.d/inetd stop
- /sbin/init.d/inetd start
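The IP filtering that the steps above (and Jorge Fábregas's original solution quoted further down in this thread) rely on is done by inetd, not by sshd, so it is worth being able to check what a given /var/adm/inetd.sec line actually admits before cutting over. The Python script below is an added example and is not part of this thread or of HP-UX. It models the host-specifier syntax of inetd.sec(4) as I understand it: full or partial dotted addresses such as 124.32., * wildcards and a-b octet ranges; a service with no line is open to all hosts; and when a service appears on several lines the last one is assumed to take effect (verify that against inetd.sec(4) on your release). Hostnames in a rule are not resolved here. The sample rules, inetd.conf line and services line are constructed from the values quoted in the thread, and the second check covers the two things the steps above require of /etc/inetd.conf and /etc/services.

```python
"""Evaluate HP-UX style /var/adm/inetd.sec rules and sanity-check the inetd cut-over.

Added example, not code from the mailing list or from HP-UX.
"""
import ipaddress
import re

# Constructed sample inetd.sec, built from addresses quoted in the thread.
SAMPLE_INETD_SEC = """\
# service  allow|deny  hosts...
ssh     allow   124.32.  157.165.180.201
telnet  deny    *
ftp     allow   172.16.0.1-10
"""

# Constructed sample lines for the other two files the procedure touches.
SAMPLE_INETD_CONF = "ssh stream tcp nowait root /opt/ssh/sbin/sshd sshd -i\n"
SAMPLE_SERVICES = "ssh 22/tcp #SSH service\n"

# One octet of a host specifier: exact number, '*' wildcard, or 'lo-hi' range.
_OCTET_PATTERN = re.compile(r"^(\*|\d{1,3}(-\d{1,3})?)$")


def _octet_matches(pattern, octet):
    """Match a single octet against its specifier component."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= octet <= int(hi)
    return int(pattern) == octet


def host_spec_matches(spec, ip):
    """True if an inetd.sec host specifier matches the client address.

    A trailing-dot prefix such as '124.32.' matches every address starting
    with those octets. Hostnames are not resolved here, so they never match.
    """
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    parts = [p for p in spec.split(".") if p != ""]  # '124.32.' -> ['124', '32']
    if not parts or len(parts) > 4 or not all(_OCTET_PATTERN.match(p) for p in parts):
        return False
    return all(_octet_matches(p, o) for p, o in zip(parts, octets))


def parse_inetd_sec(text):
    """Return {service: (action, [host specs])}.

    Assumption (check inetd.sec(4)): a later line for the same service
    replaces an earlier one. Malformed lines are ignored, as are comments.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[1] not in ("allow", "deny"):
            continue
        rules[fields[0]] = (fields[1], fields[2:])
    return rules


def is_permitted(rules, service, ip):
    """Decide whether inetd would hand the connection to the service.

    No rule for the service means every host is allowed. An allow rule admits
    only the listed hosts; a deny rule refuses only the listed hosts.
    """
    if service not in rules:
        return True
    action, specs = rules[service]
    matched = any(host_spec_matches(s, ip) for s in specs)
    return matched if action == "allow" else not matched


def inetd_setup_problems(inetd_conf, services, service="ssh"):
    """List the configuration gaps the procedure warns about for one service:
    an entry in /etc/services and an inetd.conf line that starts sshd with -i."""
    problems = []
    svc_lines = [l for l in services.splitlines() if l.split()[:1] == [service]]
    if not svc_lines:
        problems.append(f"{service} missing from /etc/services")
    conf_lines = [l for l in inetd_conf.splitlines() if l.split()[:1] == [service]]
    if not conf_lines:
        problems.append(f"no {service} line in inetd.conf")
    elif "-i" not in conf_lines[-1].split():
        problems.append(f"{service} line in inetd.conf must start sshd with -i")
    return problems


if __name__ == "__main__":
    rules = parse_inetd_sec(SAMPLE_INETD_SEC)
    for ip in ("124.32.7.9", "157.165.180.201", "157.165.180.202"):
        print("ssh from", ip, "->", "allowed" if is_permitted(rules, "ssh", ip) else "refused")
    print("setup problems:", inetd_setup_problems(SAMPLE_INETD_CONF, SAMPLE_SERVICES))
```

Run the script against a copy of your own inetd.sec to see which client addresses a rule admits; the deny-rule branch is the one to look at twice, since a deny line whose host list does not match leaves the service open to everyone else.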


attached mail follows:


thx for the feedback

I tried the below and it did not work
        I did all the steps to allow just one IP address
        Instead of rebooting the server (test700d) I just ran "inetd -c"
        Below are the line/s for each important file
         vi /etc/rc.config.d/sshd
                SSHD_START=0
         vi /etc/inetd.conf
                ssh stream tcp nowait root /usr/sbin/sshd sshd -i
         vi /var/adm/inetd.sec
                ssh allow 157.165.180.201
         inetd -c

Now when I run ssh from 157.165.180.201 (hawkeye) it says
        (mahrendt:hawkeye)/home/mahrendt[213]> ssh test700d -l root
         Secure connection to test700d refused; reverting to insecure method.
         Using rsh. WARNING: Connection will not be encrypted.
         Password:

Any ideas why it's not working?

thx, marc

-----Original Message-----
From: Stephanie Chung [mailto:stepchung@yahoo.com]
Sent: Thursday, April 14, 2005 8:53 AM
To: hpux
Subject: [HPADM] [SUMMARY] HP-UX SSH

Thanks to:

Jeff Fisher
Eef Hartman
Erik Platzbecker
Carlos Montana
ramill@wm.edu
Jorge Fábregas
and Others...

ORIGINAL QUESTION:
I installed HP-UX ssh to replace telnet and it's
running fine. My question is how to allow only the IP
range 198.152.*.* to access SSH and restrict other
IPs. Since HP-UX ssh is running its own daemon
(/opt/ssh/sbin/sshd) and not using 'inetd', putting the
restriction in 'inetd.sec' won't help. Thank you for
your help.

SOLUTION:
This is from Jorge Fábregas:
You need to run the ssh daemon through inetd. Do the
following:
1- Stop the ssh daemon
2- Make sure it won't start on machine startup by
editing /etc/rc.config.d/sshd
   Change SSHD_START=1 to 0
3- Modify /etc/inetd.conf to enable ssh. You must use
the "-i" switch in order to allow it to run through
inetd. I have the following line in my inetd.conf:
ssh stream tcp nowait root /usr/sbin/sshd sshd -i
4- Modify /var/adm/inetd.sec accordingly. Something
like: ssh allow 172.16.0.10
etc...
Now you can get the IP filtering benefits provided by
inetd. Of course, this is one scenario. You can still
use IPFILTER if you want (and keep running SSHD
stand-alone).
-----------------------------------------------------
Use tcp wrappers with /etc/hosts.deny, /etc/hosts.allow.


--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl

 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:47 EDT